
yana-ai@0.43.0

Audits your AI coding agent setup before it can damage your repo. 48 hooks · 1981 skills · 101 agents · Claude Code + Codex compatible.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates AI-agent control files during npm postinstall. It installs Claude hook/config surfaces into the consumer project without an explicit user command.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of yana-ai@0.43.0 with lifecycle scripts enabled
Impact
A package install changes future Claude/agent behavior by adding tool hooks, prompt hooks, stop hooks, and async rewake commands in the project.
Mechanism
unconsented lifecycle write of AI-agent hooks and plugin config
Policy narrative
On install, npm runs the package postinstall script with --auto. Because TARGET is INIT_CWD or cwd, the installer writes package-supplied .claude hooks, commands, agents, rules, scripts, gates, and .claude-plugin metadata into the consumer project. The installed hook manifest then registers commands across Claude hook events, altering the AI-agent control surface after a dependency install rather than an explicit setup command.
Rationale
Static inspection confirms unconsented install-time AI-agent control-surface mutation, which is a blocking behavior for the firewall even though the files appear aligned with the package's safety-hook theme and no exfiltration was found. The risk is the lifecycle trigger, not a scanner label or hidden binary payload. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
  • package.json
  • scripts/npm-install.js
  • .claude-plugin/hooks/hooks.json
  • .claude-plugin/hooks/yana-audit-rewake.sh
  • core/hooks/telemetry-sender.sh
  • scripts/yana-rt-wrapper.js
  • core/hooks/gitnexus-hook.js
  • TARGET/.claude/hooks
  • TARGET/.claude/commands
  • TARGET/.claude/agents
  • TARGET/.claude/rules
  • TARGET/.claude/scripts
  • TARGET/.claude/gates
  • TARGET/.claude-plugin/plugin.json
  • TARGET/.claude-plugin/marketplace.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/npm-install.js --auto
  • scripts/npm-install.js uses INIT_CWD/process.cwd as TARGET, not package dir
  • postinstall recursively copies core/hooks, core/commands, core/agents, core/rules, core/scripts, core/gates into TARGET/.claude
  • postinstall also writes .claude-plugin/plugin.json and marketplace.json into the installing project
  • copied .claude-plugin/hooks/hooks.json defines Claude hook commands for UserPromptSubmit, PreToolUse, PostToolUse, Stop
  • hooks include async rewake audit hook and tool interception/control surface changes
Evidence against
  • No credential harvesting or exfiltration found in installer
  • No network calls in scripts/npm-install.js
  • telemetry-sender.sh writes local .yana/telemetry.jsonl only
  • scripts/yana-rt-wrapper.js only execFileSyncs user-invoked yana-rt candidates
  • gitnexus-hook.js uses spawnSync without shell:true and mostly augments search context
  • Package purpose is AI-agent safety hooks, so many hook files are thematically aligned
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem
Supply chain
HighEntropyStrings
Manifest
No manifest risk signals triggered.
scanned 12 file(s), 66.8 KB of source

Source & flagged code

25 flagged
package.json
scripts.postinstall = node scripts/npm-install.js --auto
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/npm-install.js --auto
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
core/hooks/gitnexus-hook.js
L15: const path = require('path');
L16: const { spawnSync } = require('child_process');
L17:
High
Child Process

Package source references child process execution.

core/hooks/gitnexus-hook.js · L15
L127: if (useDirectBinary) {
L128: return spawnSync(isWin ? 'gitnexus.cmd' : 'gitnexus', args, {
L129: encoding: 'utf-8',
...
L134: }
L135: // npx fallback needs shell on Windows since npx is a .cmd script
L136: return spawnSync(isWin ? 'npx.cmd' : 'npx', ['-y', 'gitnexus', ...args], {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

core/hooks/gitnexus-hook.js · L127
core/gates/structured-output-validator.js
L7:
L8: const fs = require('fs');
L9: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

core/gates/structured-output-validator.js · L7
scripts/npm-install.js
Install-time AI-agent control hijack evidence:
L3: * yana-ai npm installer
L4: * Copies plugin files to .claude/ in the current project.
L5: * Run: npx yana-ai OR yarn yana-ai
...
L15: const COPY_DIRS = [
L16: ["core/hooks", ".claude/hooks"],
L17: ["core/commands", ".claude/commands"],
L18: ["core/agents", ".claude/agents"],
L19: ["core/rules", ".claude/rules"],
L20: // ── core/scripts + core/gates ──────────────────────────────────────────────
...
L22: // they're listed in package.json "files" (so they DO ship inside the npm
L23: // tarball) — they just never landed in the target project's .claude/.
L24: // Several installed hooks reference them by relative path:
Payload evidence from core/agents/verify-agent.md:
L1: ---
L2: name: verify-agent
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/npm-install.js · L1
core/gates/identity-gate.sh
path = core/gates/identity-gate.sh kind = build_helper sizeBytes = 9743 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

core/gates/identity-gate.sh
.claude-plugin/hooks/yana-audit-rewake.sh
path = .claude-plugin/hooks/yana-audit-rewake.sh kind = payload_in_excluded_dir sizeBytes = 1696 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude-plugin/hooks/yana-audit-rewake.sh
core/agents/test-engineer.md
patternName = generic_password severity = medium line = 116 matchedText = password...3!',
Medium
Secret Pattern

Hardcoded password in core/agents/test-engineer.md

core/agents/test-engineer.md · L116
patternName = generic_password severity = medium line = 155 matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in core/agents/test-engineer.md

core/agents/test-engineer.md · L155
patternName = generic_password severity = medium line = 168 matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in core/agents/test-engineer.md

core/agents/test-engineer.md · L168
patternName = generic_password severity = medium line = 174 matchedText = { email:...' },
Medium
Secret Pattern

Hardcoded password in core/agents/test-engineer.md

core/agents/test-engineer.md · L174
patternName = generic_password severity = medium line = 175 matchedText = { email:...' },
Medium
Secret Pattern

Hardcoded password in core/agents/test-engineer.md

core/agents/test-engineer.md · L175
patternName = generic_password severity = medium line = 188 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in core/agents/test-engineer.md

core/agents/test-engineer.md · L188
core/commands/api-scaffold.md
patternName = generic_password severity = medium line = 1540 matchedText = test_pas...123"
Medium
Secret Pattern

Hardcoded password in core/commands/api-scaffold.md

core/commands/api-scaffold.md · L1540
core/commands/test-harness.md
patternName = generic_password severity = medium line = 1197 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in core/commands/test-harness.md

core/commands/test-harness.md · L1197
patternName = generic_password severity = medium line = 1235 matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in core/commands/test-harness.md

core/commands/test-harness.md · L1235
patternName = generic_password severity = medium line = 1251 matchedText = password...ord'
Medium
Secret Pattern

Hardcoded password in core/commands/test-harness.md

core/commands/test-harness.md · L1251
patternName = generic_password severity = medium line = 1277 matchedText = const pa...23';
Medium
Secret Pattern

Hardcoded password in core/commands/test-harness.md

core/commands/test-harness.md · L1277
patternName = generic_password severity = medium line = 1298 matchedText = const pa...rd';
Medium
Secret Pattern

Hardcoded password in core/commands/test-harness.md

core/commands/test-harness.md · L1298
core/commands/db-migrate.md
patternName = generic_password severity = medium line = 1401 matchedText = password...ord'
Medium
Secret Pattern

Hardcoded password in core/commands/db-migrate.md

core/commands/db-migrate.md · L1401
patternName = generic_password severity = medium line = 1411 matchedText = password...ord'
Medium
Secret Pattern

Hardcoded password in core/commands/db-migrate.md

core/commands/db-migrate.md · L1411
core/commands/config-validate.md
patternName = generic_password severity = medium line = 688 matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in core/commands/config-validate.md

core/commands/config-validate.md · L688
patternName = generic_password severity = medium line = 701 matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in core/commands/config-validate.md

core/commands/config-validate.md · L701
patternName = generic_password severity = medium line = 715 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in core/commands/config-validate.md

core/commands/config-validate.md · L715

Findings

1 Critical · 4 High · 22 Medium · 3 Low
Critical · Ai Agent Control Hijack · scripts/npm-install.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · core/hooks/gitnexus-hook.js
High · Runtime Package Install · core/hooks/gitnexus-hook.js
High · Payload In Excluded Dir · .claude-plugin/hooks/yana-audit-rewake.sh
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · core/gates/structured-output-validator.js
Medium · Environment Vars
Medium · Ships Build Helper · core/gates/identity-gate.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · core/agents/test-engineer.md
Medium · Secret Pattern · core/agents/test-engineer.md
Medium · Secret Pattern · core/agents/test-engineer.md
Medium · Secret Pattern · core/agents/test-engineer.md
Medium · Secret Pattern · core/agents/test-engineer.md
Medium · Secret Pattern · core/agents/test-engineer.md
Medium · Secret Pattern · core/commands/api-scaffold.md
Medium · Secret Pattern · core/commands/test-harness.md
Medium · Secret Pattern · core/commands/test-harness.md
Medium · Secret Pattern · core/commands/test-harness.md
Medium · Secret Pattern · core/commands/test-harness.md
Medium · Secret Pattern · core/commands/test-harness.md
Medium · Secret Pattern · core/commands/db-migrate.md
Medium · Secret Pattern · core/commands/db-migrate.md
Medium · Secret Pattern · core/commands/config-validate.md
Medium · Secret Pattern · core/commands/config-validate.md
Medium · Secret Pattern · core/commands/config-validate.md
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings